Hacker cost SF Muni $50,000 in lost fares, agency says

Muni may have saved $73,000 by refusing to give in to the demands of a cyberextortionist who hacked into the transit system’s computers. But the ransomware attack still cost the Municipal Transportation Agency an estimated $50,000 in lost fares, officials said Friday.

After Muni learned it had been hacked the night of Nov. 25, officials shut down the ticket machines in the Muni Metro system’s subway stations and threw open the fare gates. The actions were taken to stop the spread of the cyberattack and to ensure that passengers’ financial information couldn’t be accessed.

The rides remained free through last Saturday. Fare gates and ticket machines were back in service by Sunday morning.

MTA spokesman Paul Rose said Muni typically brings in $120,000 systemwide in cash and single-trip fares on a weekend day. That figure includes fares paid on buses, cable cars and Muni Metro both inside and outside the stations where a handful of fare gates were opened during the attack.

The ransomware attack was triggered when an employee clicked on an email attachment, pop-up or link. The attack affected about 900 Muni computers, locking their users out and displaying the message “You hacked” that instructed Muni officials to pay 100 bitcoin, a digital currency, worth about $73,000.

RELATED STORIES

MTA officials refused to pay up, never even communicating with the hacker, Rose said. Instead, the agency contacted the Department of Homeland Security and began restoring the frozen computer systems using backups. By Monday, the MTA’s computers were back in service.

When Muni declined to pay the ransom, the hacker then threatened to release confidential information he said he had obtained about passengers and employees. MTA officials, after consulting with Homeland Security and its internal computer security experts, decided the hacker was bluffing, and continued to ignore his demands.